Difference between revisions of "ESciDoc Authorization Authentication"
| Line 11: | Line 11: | ||
More details on the core service authorization concept in [https://zim01.gwdg.de/repos/smc/tags svn, framework_release, cpt_authorization_authentication] | More details on the core service authorization concept in [https://zim01.gwdg.de/repos/smc/tags svn, framework_release, cpt_authorization_authentication] | ||
====Predefined Roles==== | |||
At present there are several pre-defined user roles for core services i.e. author, moderator, editor, etc. | At present there are several pre-defined user roles for core services i.e. author, moderator, editor, etc. | ||
These roles are in general derived from some basic requirements of the solutions for PubMan and SWB. | These roles are in general derived from some basic requirements of the solutions for PubMan and SWB. | ||
| Line 19: | Line 20: | ||
* Action - an action executed on a resource (e.g. create <resource>, update <resource>, create <subresource>, etc.) | * Action - an action executed on a resource (e.g. create <resource>, update <resource>, create <subresource>, etc.) | ||
* Conditions - a condition that a resource or a user that is executing the action must fulfill (e.g. Item.status=pending and Item.context = user.isDepositor(context)) etc. (Please consider these as "pseudo" expressions, as the real expressions are written in form of a XACML policy) | * Conditions - a condition that a resource or a user that is executing the action must fulfill (e.g. Item.status=pending and Item.context = user.isDepositor(context)) etc. (Please consider these as "pseudo" expressions, as the real expressions are written in form of a XACML policy) | ||
===Solutions and other services=== | |||
Solutions use core services or provide own services that also need to be authorized. | |||
The predefined roles or core services at the moment are more close to the Solution specific roles (especially PubMan solution). | |||
For example, PubMan has roles such as "Depositor", "Moderator", "MDEditor" (these roles are currently among those predefined within the core infrastructure). | |||
But, already within the upcoming releases and introduction of the workflow engine, the actions specified for the roles will have to be "aligned" with the workflow actions i.e. the roles will probably have to be defined for a workflow rather than for a core service method. | |||
A workflow action can thus invoke one or more core service methods on several resource handlers. | |||
===Issues=== | |||
* where to store the role definitions? Is it possible to have the same | |||
Revision as of 09:51, 15 October 2007
Please use this page to discuss in general on the authorization mechanisms for core services, solutions etc.
Core services[edit]
Core services authorize each method of a core service based on a role definition. A role definition can be:
- unlimited (i.e. administrator - can invoke any service method operation)
- limited (i.e. based on properties of the resource )
More details on the core service authorization concept in svn, framework_release, cpt_authorization_authentication
Predefined Roles[edit]
At present there are several pre-defined user roles for core services i.e. author, moderator, editor, etc. These roles are in general derived from some basic requirements of the solutions for PubMan and SWB.
A limited role for the core services is specified as a set of (Resource, Action, Conditions):
- Resource - a resource or subresource (e.g. Item, Item.Component, Item.Metadata, Context) on which an action is executed, where an action is actually a core service method
- Action - an action executed on a resource (e.g. create <resource>, update <resource>, create <subresource>, etc.)
- Conditions - a condition that a resource or a user that is executing the action must fulfill (e.g. Item.status=pending and Item.context = user.isDepositor(context)) etc. (Please consider these as "pseudo" expressions, as the real expressions are written in form of a XACML policy)
Solutions and other services[edit]
Solutions use core services or provide own services that also need to be authorized. The predefined roles or core services at the moment are more close to the Solution specific roles (especially PubMan solution). For example, PubMan has roles such as "Depositor", "Moderator", "MDEditor" (these roles are currently among those predefined within the core infrastructure). But, already within the upcoming releases and introduction of the workflow engine, the actions specified for the roles will have to be "aligned" with the workflow actions i.e. the roles will probably have to be defined for a workflow rather than for a core service method. A workflow action can thus invoke one or more core service methods on several resource handlers.
Issues[edit]
- where to store the role definitions? Is it possible to have the same
- How solutions authorize?
- What solutions authorize?